
An Iranian state-sponsored threat actor known as APT42 has been observed targeting individuals and organizations of interest to the Islamic Revolutionary Guards Corps (IRGC) as part of a new espionage-focused campaign.
This activity was detected in early September 2025, is assessed to be ongoing, and has been codenamed “SpearSpecter” by the Israel National Digital Agency (INDA).
“This campaign systematically targets high-value defense and government officials using personalized social engineering tactics,” said INDA researchers Simi Cohen, Adi Pick, Idan Beityousev, Hilla David, and Yaniv Goldman. “This includes inviting the target to prestigious meetings or arranging important meetings.”
What is notable about this effort is that it extends to the target’s family members, creating a broader attack surface and putting even more pressure on the primary target.
APT42 was first publicly documented by Google Mandiant in late 2022. The IRGC-affiliated group overlaps with threat clusters tracked by other vendors as APT35, CALANQUE, Charming Kitten, CharmingCypress, Cobalt Illusion, Educated Manticore, GreenCharlie, ITG18, Magic Hound, Mint Sandstorm (formerly Phosphorus), TA453, and Yellow Garuda.

One of the group’s hallmarks is its ability to launch persuasive social engineering campaigns that can run for days or weeks to build trust with targets before sending malicious payloads or getting them to click on booby-trapped links. In some cases, they masquerade as known contacts to create the illusion of authenticity.
In June 2025, Check Point detailed a wave of attacks in which the attackers approached Israeli technology and cybersecurity experts via email and WhatsApp messages while posing as technology executives and researchers.
Goldman told The Hacker News that the SpearSpecter and June 2025 campaigns are separate and were carried out by two different subgroups within APT42.
“While our campaign was executed by APT42’s Cluster D (focused on malware-based operations), the campaign detailed by Check Point was executed by the same group’s Cluster B (focused on credential harvesting),” Goldman added.
INDA said SpearSpecter is flexible in that the adversary can fine-tune its approach based on target value and operational objectives. In one set of attacks, victims are redirected to a fake conference page designed to capture their credentials. If the goal is persistent long-term access, on the other hand, the attack chain leads to the deployment of TAMECAT, a known PowerShell backdoor that has been used repeatedly in recent years.

In the latter case, the attack chain begins with a message, sent while impersonating a trusted WhatsApp contact, that carries a malicious link to a document supposedly required for an upcoming meeting or conference. Clicking the link initiates a redirection chain that abuses the “search-ms:” protocol handler to serve a WebDAV-hosted Windows shortcut (LNK) disguised as a PDF file.
The LNK file connects to a Cloudflare Workers subdomain to retrieve a batch script that acts as a loader for TAMECAT. TAMECAT then uses various modular components to carry out data exfiltration and remote control.
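The delivery chain above leaves two artifacts a defender can look for in proxy or URL logs: a “search-ms:” URI whose crumb=location parameter points at a share outside the organisation (WebDAV shares show up as \\host@SSL\DavWWWRoot\...), and a download of a shortcut with a double extension such as .pdf.lnk. The following detector is an added example written for this article, not code from INDA or from the TAMECAT analysis; the log format, the hostnames, and the INTERNAL_HOSTS allowlist are all constructed assumptions.

```python
"""Added example (not from the INDA report): flag log lines that match the
SpearSpecter delivery pattern -- a search-ms: URI whose crumb=location points
at an external (WebDAV) share, or a shortcut disguised with a double extension.
Log format and hostnames are constructed for illustration."""
import re
from urllib.parse import unquote

# Constructed allowlist: shares that are legitimately reached via search-ms
# inside this (hypothetical) organisation and therefore should not be flagged.
INTERNAL_HOSTS = {"fileserver.corp.example"}

SEARCH_MS_RE = re.compile(r"^search-ms:(?P<qs>.*)$", re.IGNORECASE)
# A document-looking name that actually ends in .lnk (e.g. Agenda.pdf.lnk).
DISGUISED_LNK_RE = re.compile(r"\.(?:pdf|docx?|xlsx?|pptx?)\.lnk$", re.IGNORECASE)
# UNC prefix: \\host, optionally \\host@SSL or \\host@443 for WebDAV over HTTPS.
UNC_HOST_RE = re.compile(r"^\\\\(?P<host>[^\\@]+)(?P<ssl>@SSL)?(?:@\d+)?\\")

# Constructed sample log lines: "<timestamp> <user> <requested resource>".
SAMPLE_LOGS = [
    "2025-09-03T09:12:01Z alice https://conference-invite.example/agenda",
    "2025-09-03T09:12:05Z alice search-ms:query=agenda&crumb=location:%5C%5Cdav.example-c2.invalid%40SSL%5CDavWWWRoot%5Cdocs&displayname=Documents",
    "2025-09-03T09:12:09Z alice https://dav.example-c2.invalid/docs/Conference_Agenda.pdf.lnk",
    "2025-09-03T09:15:44Z bob https://intranet.example/report.pdf",
    "2025-09-03T09:16:02Z bob search-ms:query=report&crumb=location:%5C%5Cfileserver.corp.example%5Cshare",
    "2025-09-03T09:16:30Z bob \\\\fileserver.corp.example\\share\\Q3.lnk",
]


def parse_search_ms(uri):
    """Return the parameters of a search-ms: URI as a dict, or None if it is not one."""
    m = SEARCH_MS_RE.match(uri.strip())
    if not m:
        return None
    params = {}
    for part in m.group("qs").split("&"):
        if "=" in part:
            key, value = part.split("=", 1)
            params[key.lower()] = unquote(value)  # crumb values are percent-encoded
    return params


def remote_location(params):
    """Return the UNC host named by crumb=location:... unless it is an internal share."""
    crumb = params.get("crumb", "")
    if not crumb.lower().startswith("location:"):
        return None
    m = UNC_HOST_RE.match(crumb[len("location:"):])
    if not m:
        return None
    host = m.group("host").lower()
    return None if host in INTERNAL_HOSTS else host


def scan_logs(lines):
    """Return (line index, user, reason) for every line matching the delivery pattern."""
    findings = []
    for idx, line in enumerate(lines):
        fields = line.split(" ", 2)
        if len(fields) < 3:
            continue  # malformed line; skip rather than crash the scan
        _ts, user, resource = fields
        params = parse_search_ms(resource)
        if params is not None:
            host = remote_location(params)
            if host:
                findings.append((idx, user, f"search-ms crumb points to external share {host}"))
            continue
        path = resource.split("?", 1)[0]
        if DISGUISED_LNK_RE.search(path):
            name = path.rsplit("/", 1)[-1]
            findings.append((idx, user, f"double-extension shortcut {name}"))
    return findings


if __name__ == "__main__":
    for idx, user, reason in scan_logs(SAMPLE_LOGS):
        print(f"line {idx}: user={user}: {reason}")
```

The allowlist matters: search-ms itself is a legitimate Windows feature, so alerting on every occurrence produces noise, whereas a crumb that names a host outside the organisation, especially one with the @SSL WebDAV form, is the part worth surfacing.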
The PowerShell framework uses three different channels for command and control (C2): HTTPS, Discord, and Telegram. This redundancy suggests the threat actor intends to maintain persistent access to a compromised host even if one channel is detected and blocked.
For Telegram-based C2, TAMECAT listens for incoming commands from an attacker-controlled Telegram bot and, based on those, retrieves and executes additional PowerShell code from various Cloudflare Workers subdomains. For Discord, webhook URLs are used to send basic system information and to retrieve commands from hardcoded channels.
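Because the backdoor spreads its C2 across Discord webhooks, the Telegram Bot API and Cloudflare Workers subdomains, blocking any one of them is not enough; a more useful signal is a scripting host on a single machine talking to more than one of these services. The correlation below is an added example written for this article, not INDA's or any vendor's detection logic; the event schema, host names and URLs are constructed placeholders.

```python
"""Added example (not from the INDA report): correlate constructed endpoint
network events so that a scripting host reaching more than one of the C2
channels described above (Discord webhooks, Telegram Bot API, Cloudflare
Workers) is reported once per host, with severity rising with channel count."""
from collections import defaultdict
from urllib.parse import urlparse

# Interpreters that legitimately should not be calling chat-platform APIs.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe", "cmd.exe"}

# Constructed sample events: which process on which host reached which URL.
SAMPLE_EVENTS = [
    {"host": "WS-0147", "process": "powershell.exe", "url": "https://api.telegram.org/botPLACEHOLDER/getUpdates"},
    {"host": "WS-0147", "process": "powershell.exe", "url": "https://loader-placeholder.workers.dev/stage2"},
    {"host": "WS-0147", "process": "powershell.exe", "url": "https://discord.com/api/webhooks/0000/PLACEHOLDER"},
    {"host": "WS-0147", "process": "chrome.exe", "url": "https://discord.com/api/v9/gateway"},
    {"host": "WS-0212", "process": "Discord.exe", "url": "https://discord.com/api/webhooks/1111/PLACEHOLDER"},
    {"host": "WS-0212", "process": "powershell.exe", "url": "https://update.example.corp/inventory"},
]


def classify_channel(url):
    """Map a URL to one of the C2 channel families named in the article, or None."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    path = parsed.path
    if host in ("discord.com", "discordapp.com") and path.startswith("/api/webhooks/"):
        return "discord-webhook"          # webhooks, not ordinary Discord client traffic
    if host == "api.telegram.org" and path.startswith("/bot"):
        return "telegram-bot-api"         # Bot API polling, e.g. getUpdates
    if host.endswith(".workers.dev"):
        return "cloudflare-workers"       # staging of additional PowerShell
    return None


def correlate(events):
    """Return one finding per (host, script process) that touched any C2 channel."""
    seen = defaultdict(lambda: defaultdict(set))  # host -> process -> channel set
    for ev in events:
        proc = ev["process"].lower()
        if proc not in SCRIPT_HOSTS:
            continue  # browsers and chat clients are expected to reach these hosts
        channel = classify_channel(ev["url"])
        if channel:
            seen[ev["host"]][proc].add(channel)
    findings = []
    for host, procs in seen.items():
        for proc, channels in procs.items():
            findings.append({
                "host": host,
                "process": proc,
                "channels": sorted(channels),
                # one channel is suspicious; two or more match the multi-channel design
                "severity": "high" if len(channels) >= 2 else "medium",
            })
    return findings


if __name__ == "__main__":
    for f in correlate(SAMPLE_EVENTS):
        print(f"{f['severity'].upper()}: {f['host']} {f['process']} -> {', '.join(f['channels'])}")
```

The process filter is what keeps this usable: Discord and Telegram traffic from their own clients or a browser is normal, while the same endpoints reached from powershell.exe are not, and a single host hitting all three families from one interpreter mirrors exactly the redundancy the report describes.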

“Analysis of accounts recovered from the attacker’s Discord server suggests that the command search logic relies on messages from specific users, allowing the attacker to coordinate multiple attacks using the same channel while delivering commands specific to individual infected hosts, effectively building a collaborative space on a single infrastructure,” INDA researchers said.
Additionally, TAMECAT is equipped with the ability to perform reconnaissance, collect files matching specific extensions, steal data from web browsers such as Google Chrome and Microsoft Edge, collect Outlook mailboxes, and take screenshots at 15-second intervals. The data is exfiltrated via HTTPS or FTP.
It also employs various stealth techniques to evade detection and resist analysis. These include encrypting telemetry and controller payloads, obfuscating source code, using living-off-the-land binaries (LOLBins) to hide malicious activity, and operating primarily in memory, leaving little trace on disk.
“The SpearSpecter campaign infrastructure reflects a sophisticated blend of agility, stealth, and operational security designed to sustain long-term espionage against high-value targets,” INDA said. “Operators leverage a multifaceted infrastructure that combines legitimate cloud services and attacker-controlled resources to enable seamless initial access, persistent command and control (C2), and secret data exfiltration.”
